How to Upgrade Your GitHub API Authentication

Follow me!

If you like this article, go ahead and follow me on Twitter:

Follow @getButterfly

JavaScript Code

If you’ve been getting lots of email notices when using GitHub API calls related to:

Deprecation notice for authentication via URL query parameters

Please use the Authorization HTTP header instead, as using the access_token query parameter is deprecated. If this token is being used by an app you don’t have control over, be aware that it may stop working as a result of this deprecation. Depending on your API usage, we’ll be sending you this email reminder on a monthly basis for each token and User-Agent used in API calls made on your behalf. Just one URL that was accessed with a token and User-Agent combination will be listed in the email reminder, not all.

Here’s what you need to know, when using access_token as a query param, if you’re currently making an API call similar to:

curl ""

Instead, you should send the token in the header:

curl -H 'Authorization: token my_access_token'

When using PHP, here’s the correct approach:

// Switch to HTTP Basic Authentication for GitHub API v3
$curl = curl_init();

curl_setopt_array($curl, [
    CURLOPT_URL => $requestUri,
        "Authorization: token " . $authorizeToken,
        "User-Agent: YourAppName"

$response = curl_exec($curl);

Using JavaScript:

var data = null;

const xhr = new XMLHttpRequest();
xhr.withCredentials = true;

xhr.addEventListener("readystatechange", function () {
    if (this.readyState === 4) {
});"GET", "");
xhr.setRequestHeader("Authorization", "token 1234567890");
xhr.setRequestHeader("User-Agent", "YourAppName");
xhr.setRequestHeader("Accept", "*/*");
xhr.setRequestHeader("Cache-Control", "no-cache");
xhr.setRequestHeader("Host", "");
xhr.setRequestHeader("Accept-Encoding", "gzip, deflate");
xhr.setRequestHeader("Connection", "keep-alive");
xhr.setRequestHeader("cache-control", "no-cache");


Or using the Fetch API:

var myHeaders = new Headers();
myHeaders.append("Authorization", "token 1234567890");

const requestOptions = {
    method: 'GET',
    headers: myHeaders,
    redirect: 'follow'

fetch("", requestOptions)
    .then(response => response.text())
    .then(result => console.log(result))
    .catch(error => console.log('error', error));

GitHub Authentication for WordPress Updater Solutions

If you are using GitHub to update your WordPress plugins (both public and private), switch to Andy Fragen’s solution. I have removed the GitHub updater from 10 plugins and 2 themes I am maintaining and switched to his GitHub Updater. I never looked back.

I wrote about this before, but maintaining a custom GitHub API solution is not worth it anymore.


πŸ‘‹ Added by Ciprian on Tuesday, March 24, 2020 in Blog. Last modified on Thursday, October 1, 2020.


Contribute to this article by sharing your opinion on Twitter:

Unlimited Automated Page Speed Monitoring & Tracking.
Use SpeedFactor to track your website. It’s simple and reliable.
See how real people experience the speed of your website. Then find (and fix) your web performance problems.
Get Started
Privacy Policy